taralizer

command module

v0.1.10 Latest Latest Go to latest Published: Jan 7, 2023 License: Apache-2.0 Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/devmatic-it/taralizer

Links

Open Source Insights

README ¶

Taralizer - The Threat and Risk Analyzer

The following project performs a Threat and Risk Analysis based on an architecture model defined through simple YAML file. We aim to implement the OWASP Application Security Verification Standard (ASVS)(https://owasp.org/www-project-application-security-verification-standard/) and also destribute their great database (https://github.com/OWASP/ASVS/raw/v4.0.2/4.0/docs_en/OWASP%20Application%20Security%20Verification%20Standard%204.0.2-en.csv). Furthermore, we use and distribute MITRE Common Weakness Enumeration (https://cwe.mitre.org/data/downloads.html) as a way to classify weaknesses.

Motivation

The taralizer project was highly inspired by the Threagile (https://threagile.io) project which is a first class threat modelling tool for OWASP ASVP. Unfortunately, Threagile has some limits in the customization of reports and the extendability with custom rules. Taralizer tries to overcome these limitations with the following approach:

Using Golang templating (https://golang.org/pkg/text/template/) for all reports and diagrams
Use the Open Policy Agent (OPA) engine (https://www.openpolicyagent.org) to allow extentabilty
use plantuml or graphviz dot to generate compelling diagrams
use of wkhtmltopdf to create PDF reports

Features

Taralizer currently provides the following features:

backward compatiblity with Threagile (https://threagile.io) model files
taralizer is packaged for all major devopment environments:
- MacOSX (x86_64, ARM64 M1)
- Linux (x86, x86_64, ARM64)
- Windows (x86, x86_64)
supports graphviz dot and plantuml flow charts

PlantUML GraphViz

support of PDF and HTML reports

PDF Report HTML Report

We demonstate the usage of Taralizer on the popular Bank of Anthos example application HERE

Installation

Getting Started

Download latest release for your platform: https://github.com/devmatic-it/taralizer/releases/latest
extract archive: unzip taralizer_X.Y.Z_linux_amd64.zip
create dataflow diagram diagram.png using graphviz: ./taralizer diagram ./examples/gcp/bank_of_anthos.yaml
create dataflow diagram diagram.png using plantuml: ./taralizer diagram ./examples/gcp/bank_of_anthos.yaml --engine plantuml
create example HTML report: ./taralizer report ./examples/gcp/bank_of_anthos.yaml
open examples HTML report report.htmlon browser
create example PDF report: ./taralizer report ./examples/gcp/bank_of_anthos.yaml --type pdf

Contribute

New Issues

Use the search tool before opening a new issue: https://github.com/devmatic-it/taralizer/issues
Please provide source code and commit fix if you found a bug.
Review existing issues and provide feedback or react to them.

Pull requests

Open your pull request against master: https://github.com/devmatic-it/taralizer/pulls
Your pull request should have no more than two commits, if not you should squash them.
It should pass all tests in the available continuous integrations systems such as TravisCI.
You should add/modify tests to cover your proposed code changes.
If your pull request contains a new feature, please document it on the https://github.com/devmatic-it/taralizer/blob/master/README.md

Credits

This work has been inspired and would not be possible without the following awesome open source projects:

Threagile - Agile Threat Modelling (https://threagile.io)
Open Policy Agent (https://www.openpolicyagent.org)
PlantUML (https://plantuml.com)
GraphViz (https://graphviz.org)
WKhtmltoPDF (https://wkhtmltopdf.org)
OWASP Application Security Verification Standard https://owasp.org/www-project-application-security-verification-standard/
Common Weakness Enumeration (https://cwe.mitre.org/index.html)
GoRleaser Builder Image (https://github.com/goreleaser/goreleaser)
Building a basic CI/CD pipeline for a Golang application using GitHub Actions (https://dev.to/brpaz/building-a-basic-ci-cd-pipeline-for-a-golang-application-using-github-actions-icj)

Documentation ¶

Overview ¶

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
pkg
asvs Package asvs OWASP Application Security Verification Standard database Copyright 2021 taralizer authors	Package asvs OWASP Application Security Verification Standard database Copyright 2021 taralizer authors
cwe Package cwe Mitre Common Weekness Evaluation Copyright 2021 taralizer authors	Package cwe Mitre Common Weekness Evaluation Copyright 2021 taralizer authors
taralizer
terraform Package terraform import/export of terraform files Copyright 2021 taralizer authors	Package terraform import/export of terraform files Copyright 2021 taralizer authors

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL